Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Restricting access to corporate devices

We are evaluating Checkpoint VPN and one of the things it needs to do is control client access based on whether the devices is corporate or non-corporate.

What we need it to do is the following:

  1. Corporate owned devices (Windows, Mac, Linux, iOS,Android) need to be able to connect to the VPN and have access to all internal and DMZ based systems. Authentication will be done with with LDAP (Active Directory)
  2. Contractors need to be able to connect to the VPN and access certain systems in the DMZ. Authentication will be done with with LDAP (Active Directory).

In an ideal world I would like to be able to push a certificate to the corporate machines and have this inspected at VPN connection time, and then based on this allow the machine into the internal network. For Windows we have Group Policies/SCCM and for Mac we have Jamf so we can push what every we need. The contractors would get access based on their username/password.

Basically I want to stop an employee from going to Aldi and buying a PC, then use this to connect to the internal network through VPN using their username and password, 

How can Checkpoint do this, any ideas?

 

12 Replies
Highlighted
Sapphire

I would suggest to use ESOD (Endpoint Security on Demand) with SNX, see Remote Access VPN Administration Guide R80.20 p. 132ff ! This makes it possible to use e.g. a Win registry key deployed by GPO to differentiate between corporate and contractors PCs.

0 Kudos

Great thanks! How do I differentiate between Windows and non-Windows machines in the policies. I am more interested in stopping private Windows machines than Mac or Linux. Is is a case to looking at the client type, meaning having multiple lines for the internal employees each with a different client version?

I have also seen that I can check if the machine is in a specific AD group, has anyone had any success with this and will it also work with Mac (if they are registered in the domain)?

0 Kudos
Highlighted
Sapphire

Please first have a good read through R80.20 Remote Access VPN Administration Guide and afterwards, after digesting the conatined information, ask the questions that have been left over !

0 Kudos
Highlighted
Platinum

all you need is one-two day PS Consultant 🙂 and job done!
Jerry
0 Kudos
Highlighted
Bronze

Hello,

were you able to find a solution?

0 Kudos
Highlighted
Gold

I think best solution doing that will be using Secure Configuration Verification (SCV).
The client is checked for compliance before they can connect.
Follow Secure Configuration Verification (SCV) 

Wolfgang

 

0 Kudos
Highlighted
Bronze

Hello,

Thanks fo reply. In fact I read about SCV already but I am a bit lost in all the flavours and products. 

So SCV will not check compliance for Mac OS, which I think will make device non-compliant immediately upon connecting to VPN. My overall challenge is very simllar as for original poster.

 

company laptop (only windows) -> Remote Access -> resource A, B

any other device (windows + Mac OS) -> Remote Access -> resource A

 

I was investigating as well SmartEndpoint suite, but at first try it looks good, but probably not the right tool to achieve such setup. 

 

0 Kudos
Highlighted

This is a very interesting topic that would be very nice to have in a GUI.

What I read from sk sk147416 about SCV is that it also requires a desktop policy, so we have to go to the old SmartDashboard to create a firewall policy. Ok, that's doable but doesn't that require a higher license and EndPoint Security?

=> The compliance checks is supported by Endpoint Security Client, Check Point Mobile for Windows, Full Suite version

With the active marketing the names of the vpn client are changing every year :'s

I thought Check Point Mobile for Windows (apparently new name for EndPoint Connect) is not able to use a desktop policy but apparently can use SCV. This is confusing. So we create a fake desktop policy and enable Policy server and then we edit the scv text file.

 

Let's say it just works then:

SCV can check a registry key as well: Registry Monitor: Verifies System Registry keys, values, and their contents. 

So we could just add a key somewhere using a GPO and then we have an easy way to check the clients. Of course this will then only work for Windows. I noticed you could create exceptions so you can allow some access to those who fail the check.

I'd like to see Check Point's recommendation or a real how-to guide to do this. Does anyone have a link for that? The sk on itself is already pretty good though so if I'd have the time I can start trying this out.

A lot of current home workers are using their own personal computer instead of their company laptop to VPN in so it seems really interesting to be able to control this.

0 Kudos
Highlighted
Copper

Hi Jeroen,

It's not a official Check Point guide but I wrote a detailed howto on my blog: https://namitguy.blogspot.com/2020/04/implementing-secure-client-verification.html

This covers both the gateway and endpoint configuration.

Let me know if anything is not clear.

Ruan

Highlighted
Bronze

Hi there,

Does anyone know what happens when Mac OS connects to the gateway where SCV check is enforced? SCV does not support Mac OS, so does it mean such client will be marked as non-compliant?

0 Kudos
Highlighted
Gold

Connection is not allowed until you set the following:

Traffic from Mac OS is dropped and "SCV client configuration is not verified" error is displayed 

Wolfgang

Highlighted
Bronze

Many thanks for your reply. TAC is still working on another issue regarding Desktop policy installation problem, which is blocking me to actively test it.

This looks very promissing indeed, as in such case even without enabling :allow_non_scv_clients (true) I can setup SCV exception to allow non-verified clients to some VPN resources. 

0 Kudos